My server allows for setting custom mime types through htaccess, using this line:

 

AddType [mimetype name] [extension]

 

I am trying to set a custom mime type for files with ppf and sppf extensions, so I am using this:

 

AddType application/halo2-ppf ppf

AddType application/halo2-sppf sppf

 

Am I doing something wrong?  I added this to my top level htaccess file, it didn't work, so I added it to a htaccess file in the folder where the upload page is, and it still didn't work, am I doing something wrong?

https://forums.phpfreaks.com/topic/47202-setting-my-own-mime-types/

php4, not 5, I can't use php5.  Anyways, I need the mime type to be a specific type so I can deny or accept the files being uploaded, but it keeps saying that they are

 

application/octet-stream

 

which is also executables and a lot of other filetypes, and NOT the ones I need.

application/halo2-ppf isn't an actual MIME type though - by custom MIME type it means custom extensions for pre-made MIMEs.

 

Valid:

AddType image/gif .gifimg

 

Invalid:

AddType madeup/mime-type .diffExt

 

Or if they do exist and Google is just crappin' out on me:

 

AddType application/halo2-ppf .ppf

AddType application/halo2-sppf .sppf

 

It has to be dotextension at the end

According to filext, .ppf has a corresponding MIME type of application/ppf.  You can use that one.  However, it says .sppf doesn't exist.

Anyways, the way you are going about it is really an inaccurate way of trying this.  Anyone can upload an executable file but change the extension to .ppf, which will trick your server into believing it is an application/ppf file.

How would I check that the file is either a ppf or sppf?  I know that it can be done, imageshack and other hosting sites do it, I need to make this secure and simple for the users.

 

Also, all the sites I've looked on said that there needs to not be a dot:

 

extension = the file’s designation. This should not include a dot (.):  if the file’s extension is .jpeg, you should only enter jpeg.
Guest prozente

When a file is uploaded check the file's extension, that's all you need. Checking the MIME shouldn't be trusted and you don't have control over it anyway. The MIME type of files being uploaded to your server is set by the user's browser. You can only control MIME on files being downloaded from your server.


Hah, that's funny.  You say the MIME can't be trusted.  What if I had an exe file, and used Windows magical "Rename" tool to change the exe to a ppf and upload it.
Guest prozente


What's your point? ppf files aren't executable.

Doesn't matter if it's .ppf, .asjdfg, .jga or .fhg the point is, it's still an executable file, just not with that extension.  The only reason is because the windows shell doesn't see .ppf as an executable file, even though the code inside of it may surely be executable.  It's this same little "spoof" that can allow users to create so many types of executable files with varied extensions that will still harm the user's computer.

"I don't know what I speak of"...I find your ignorance quite hilarious.  You see, while you are correct in saying that windows will only run executable files if the extension is defined in the registry, you are far incorrect by saying that only .exe files can contain executable code which may harm a computer.  .doc, .xls, .ocx, .wmz, .xlm, .vbs, .bat, .pif, .reg, etc, may all harm a user's computer.  Additionally, the point is not just about protecting users' security or thinking that they download the virus.  I could simply use the server as a hosting site for all of my .exe files by just changing the extension to .ppf, whether or not I had an intention to use them maliciously or not.  Anyways, .exe is not the only file that can do damage, and believe it or not, quite a few people don't know what a .pif, .bat, or .reg file does...and may open it.  Same with .ocx, .wmz, .doc, .xls, etc.

 

Anyways, we're far off topic.  Feel free to just check for a certain extension, but you can pretty much just call your server a file host at that point.  I would suggest looking for some type of header in the file.  Some text that is consistent across all .ppf files.  For example, MP3 files have an ID3 tag header.  Just something that can identify it.  Even if it's not "foolproof" it'll be enough to make uploading more of a hassle than it's worth.
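The header check suggested above, combined with an extension whitelist, as an added example that is not from any poster in this thread. The function names, the 5 MB cap and both signature strings are assumptions; the thread never establishes what bytes a .ppf or .sppf file starts with, so the signatures are placeholders to replace after inspecting real files.

```php
<?php
// Added example, not code from the thread. Targets PHP 4.3+.
// ASSUMPTION: these signatures are placeholders; take the real leading bytes
// from a hex dump of known-good .ppf and .sppf files.
$PATCH_SIGNATURES = array(
    'ppf'  => array('PPF'),   // assumed magic prefix
    'sppf' => array('SPPF'),  // hypothetical placeholder
);
$MAX_PATCH_BYTES = 5242880;   // assumed 5 MB cap

// Returns the whitelisted extension when the file content starts with a
// signature registered for it, otherwise false.
function check_patch_file($path, $client_name, $signatures, $max_bytes)
{
    $info = pathinfo($client_name);
    $ext  = isset($info['extension']) ? strtolower($info['extension']) : '';
    if (!isset($signatures[$ext])) return false;   // not on the whitelist
    $size = filesize($path);
    if ($size === false || $size < 1 || $size > $max_bytes) return false;
    $fh = fopen($path, 'rb');
    if (!$fh) return false;
    $head = fread($fh, 16);                        // header bytes only
    fclose($fh);
    foreach ($signatures[$ext] as $magic) {
        if (strncmp($head, $magic, strlen($magic)) == 0) return $ext;
    }
    return false;   // e.g. a renamed .exe: extension passes, content does not
}

// Handles one upload field; returns the stored path or false.
function store_patch_upload($field, $dest_dir, $signatures, $max_bytes)
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] != UPLOAD_ERR_OK) {
        return false;
    }
    $tmp = $_FILES[$field]['tmp_name'];
    // $_FILES[$field]['type'] is never read: the browser chooses that value.
    if (!is_uploaded_file($tmp)) return false;
    $ext = check_patch_file($tmp, $_FILES[$field]['name'], $signatures, $max_bytes);
    if ($ext === false) return false;
    // Server-chosen name: nothing from the client's filename reaches the disk.
    $dest = $dest_dir . '/' . md5_file($tmp) . '.' . $ext;
    return move_uploaded_file($tmp, $dest) ? $dest : false;
}
```

A signature match only shows how the file begins, so the destination directory should sit outside the web root or be served as a plain download.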

Guest prozente

You are going far off track, first I didn't say exe was the only executable file. Don't put words in my mouth. Don't call me ignorant. You claimed that renaming an exe to ppf would still leave the file as harmful. You are wrong in this sense. As was the topic MIME can't be trusted when looking at the MIME of a file that has been uploaded, as the MIME is set by the browser. Which is client side. Anything client side is to not be trusted. I'm not going on with this ridiculous pissing contest as you've taken this way offtopic.

You are going far off track...I'm not going on with this ridiculous pissing contest as you've taken this way offtopic.

LOL.  Anyways.  My final comments to you are that: extension changing is also client side, so why is it trusted?  And also, saying that a renamed .exe is no longer harmless is like saying a serial killer sleeping isn't harmless.  It's still harmless, just not in its current state.

 

Now, I really don't feel like continuing this argument any longer.  If you wish to continue, please PM me.  We have spammed this guy's topic enough without providing any help whatsoever.  Once again a simple statement or notice of insecurity led to a big blowout.  Wow.

...

...

 

Well, thank you to everyone who tried to help, the security of my server and my users is very important to me.  I am not uploading images, I am uploading patches for mods for Halo 2, in ppf and sppf format, I'm not sure if there is a header in the file or not, I will look.

 

And please don't argue anymore, thanks.
